On Mon, 15 Dec 2014 17:36:40 -0800 Ryan Sleevi <[email protected]> wrote:
> > > * Server operator uses apache+openssl with cipher string
> > >   "HIGH:!MEDIUM:!LOW:!aNULL@STRENGTH". This seems reasonable.
> > >   Only HIGH security ciphers and sort them by strength.
> > > * Browser (Chrome or Firefox) will take the first preferred cipher
> > >   suite it supports. As it doesn't support AES-GCM-256 it will
> > >   choose AES-CBC_256.
> > >
> This isn't an accurate description of the flow.
>
> The client advertises its set of ciphersuites in the client hello. The
> server is responsible for choosing the ciphersuite used, and may take
> either client priority into consideration (e.g. if the client is a
> constrained device, it might intentionally prefer a
> weaker-but-efficient algorithm; this was classically true for 3DES
> and RC4) or it may ignore this and choose at the server level. For
> example, with Apache,
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder

Ah, sorry, of course you're right. My analysis of the situation was
wrong; however, it doesn't really change the outcome: There are a number
of sites probably configured in good faith with secure settings that
result in CBC being preferred over GCM.

(But good to note that a quick fix is to disable SSLHonorCipherOrder on
affected apache servers)

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: [email protected]
GPG: BBB51E42
_______________________________________________ openssl-dev mailing list [email protected] https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
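The selection flow discussed in this message, as an added example that is not part of the original e-mail and is not OpenSSL or mod_ssl code. It models `@STRENGTH` as a stable sort on symmetric key length only; the suite table and the client's preference order are constructed assumptions (a client without AES-256-GCM that prefers AES-128-GCM).

```python
# Constructed model of server-side cipher suite selection.
# name -> (symmetric key bits, True if the suite is AES-GCM)
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": (256, True),
    "ECDHE-RSA-AES256-SHA":        (256, False),  # AES-256-CBC
    "ECDHE-RSA-AES128-GCM-SHA256": (128, True),
    "ECDHE-RSA-AES128-SHA":        (128, False),  # AES-128-CBC
}

def sort_by_strength(suites):
    """Approximate '@STRENGTH': order by key length, ignoring the cipher mode."""
    return sorted(suites, key=lambda s: SUITES[s][0], reverse=True)

def negotiate(client_offer, server_list, honor_server_order):
    """Return the suite the server picks, or None when there is no overlap."""
    if honor_server_order:          # SSLHonorCipherOrder on
        ordered, allowed = server_list, set(client_offer)
    else:                           # SSLHonorCipherOrder off: client order wins
        ordered, allowed = client_offer, set(server_list)
    for suite in ordered:
        if suite in allowed:
            return suite
    return None

def cbc_chosen_despite_gcm(client_offer, server_list, honor_server_order):
    """Audit check: a CBC suite was selected although both sides share a GCM suite."""
    chosen = negotiate(client_offer, server_list, honor_server_order)
    shared_gcm = [s for s in client_offer if s in server_list and SUITES[s][1]]
    return chosen is not None and not SUITES[chosen][1] and bool(shared_gcm)

# Assumed client offer, in client preference order (constructed).
CLIENT = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA",
]
SERVER = sort_by_strength(list(SUITES))

if __name__ == "__main__":
    for honor in (True, False):
        print("honor server order:", honor,
              "->", negotiate(CLIENT, SERVER, honor),
              "| CBC despite shared GCM:",
              cbc_chosen_despite_gcm(CLIENT, SERVER, honor))
```
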
